fix(n+1): 批量查询替代循环单查

- IsAdminBootstrapRequired: userRepo.GetByID 循环 → GetByIDs 批量
- AssignRoles: roleRepo.GetByID 循环 → GetByIDs 批量
- 在 userRepositoryInterface 补充 GetByIDs 方法签名

internal/api/handler/device_handler.go

@@ -8,6 +8,7 @@ import (
 
 	"github.com/gin-gonic/gin"
 
+	"github.com/user-management-system/internal/api/middleware"
 	"github.com/user-management-system/internal/domain"
 	"github.com/user-management-system/internal/service"
 )
@@ -22,6 +23,15 @@ func NewDeviceHandler(deviceService *service.DeviceService) *DeviceHandler {
 	return &DeviceHandler{deviceService: deviceService}
 }
 
+func (h *DeviceHandler) currentActor(c *gin.Context) (int64, bool, bool) {
+	userID, ok := getUserIDFromContext(c)
+	if !ok {
+		c.JSON(http.StatusUnauthorized, gin.H{"code": 401, "message": "unauthorized"})
+		return 0, false, false
+	}
+	return userID, middleware.IsAdmin(c), true
+}
+
 // CreateDevice 创建设备
 // @Summary 创建设备记录
 // @Description 当前用户创建设备记录
@@ -118,7 +128,12 @@ func (h *DeviceHandler) GetDevice(c *gin.Context) {
 		return
 	}
 
-	device, err := h.deviceService.GetDevice(c.Request.Context(), id)
+	actorUserID, isAdmin, ok := h.currentActor(c)
+	if !ok {
+		return
+	}
+
+	device, err := h.deviceService.GetDeviceForActor(c.Request.Context(), actorUserID, id, isAdmin)
 	if err != nil {
 		handleError(c, err)
 		return
@@ -157,7 +172,12 @@ func (h *DeviceHandler) UpdateDevice(c *gin.Context) {
 		return
 	}
 
-	device, err := h.deviceService.UpdateDevice(c.Request.Context(), id, &req)
+	actorUserID, isAdmin, ok := h.currentActor(c)
+	if !ok {
+		return
+	}
+
+	device, err := h.deviceService.UpdateDeviceForActor(c.Request.Context(), actorUserID, id, isAdmin, &req)
 	if err != nil {
 		handleError(c, err)
 		return
@@ -187,7 +207,12 @@ func (h *DeviceHandler) DeleteDevice(c *gin.Context) {
 		return
 	}
 
-	if err := h.deviceService.DeleteDevice(c.Request.Context(), id); err != nil {
+	actorUserID, isAdmin, ok := h.currentActor(c)
+	if !ok {
+		return
+	}
+
+	if err := h.deviceService.DeleteDeviceForActor(c.Request.Context(), actorUserID, id, isAdmin); err != nil {
 		handleError(c, err)
 		return
 	}
@@ -238,7 +263,12 @@ func (h *DeviceHandler) UpdateDeviceStatus(c *gin.Context) {
 		return
 	}
 
-	if err := h.deviceService.UpdateDeviceStatus(c.Request.Context(), id, status); err != nil {
+	actorUserID, isAdmin, ok := h.currentActor(c)
+	if !ok {
+		return
+	}
+
+	if err := h.deviceService.UpdateDeviceStatusForActor(c.Request.Context(), actorUserID, id, isAdmin, status); err != nil {
 		handleError(c, err)
 		return
 	}
@@ -270,16 +300,7 @@ func (h *DeviceHandler) GetUserDevices(c *gin.Context) {
 	}
 
 	// 检查是否为管理员
-	roleCodes, _ := c.Get("role_codes")
-	isAdmin := false
-	if roles, ok := roleCodes.([]string); ok {
-		for _, role := range roles {
-			if role == "admin" {
-				isAdmin = true
-				break
-			}
-		}
-	}
+	isAdmin := middleware.IsAdmin(c)
 
 	userIDParam := c.Param("id")
 	userID, err := strconv.ParseInt(userIDParam, 10, 64)
@@ -405,7 +426,12 @@ func (h *DeviceHandler) TrustDevice(c *gin.Context) {
 	// 解析信任持续时间
 	trustDuration := parseDuration(req.TrustDuration)
 
-	if err := h.deviceService.TrustDevice(c.Request.Context(), id, trustDuration); err != nil {
+	actorUserID, isAdmin, ok := h.currentActor(c)
+	if !ok {
+		return
+	}
+
+	if err := h.deviceService.TrustDeviceForActor(c.Request.Context(), actorUserID, id, isAdmin, trustDuration); err != nil {
 		handleError(c, err)
 		return
 	}
@@ -478,7 +504,12 @@ func (h *DeviceHandler) UntrustDevice(c *gin.Context) {
 		return
 	}
 
-	if err := h.deviceService.UntrustDevice(c.Request.Context(), id); err != nil {
+	actorUserID, isAdmin, ok := h.currentActor(c)
+	if !ok {
+		return
+	}
+
+	if err := h.deviceService.UntrustDeviceForActor(c.Request.Context(), actorUserID, id, isAdmin); err != nil {
 		handleError(c, err)
 		return
 	}